Added ability to enable auth for MongoDB on puppet >= 4 using a crazy…

… hack

.gitignore

@@ -8,3 +8,4 @@ bin
 coverage
 pkg
 vendor
+Puppetfile.lock

README.md

@@ -260,35 +260,6 @@ in its prefetch step when authentication hasn't been configured yet on
 the database. The error can be safely ignored. Auth and databases will be 
 configured normally. Subsequent runs of puppet will not show this error.
 
-### MongoDB (Puppet >= 4.0)
-
-When running the initial install of `st2` you will see an error from the 
-MongoDB module :
-
-```
-Error: Could not prefetch mongodb_database provider 'mongodb': Could not evaluate MongoDB shell command: load('/root/.mongorc.js'); printjson(db.getMongo().getDBs())
-```
-
-This error is caused by a deficiency in this module trying to use authentication
-in its prefetch step when authentication hasn't been configured yet on
-the database. This results in a failure and stops processing.
-
-In these cases we need to disable auth for MongoDB using the `mondob_auth` variabe.
-This can be accomplished when declaring the `::st2` class:
-
-``` puppet
-class { '::st2':
-  mongodb_auth => false,
-}
-```
-
-Or in hiera:
-
-``` yaml
-st2:
-  mongodb_auth: false
-```
-
 ### Ubuntu 14.04
 
 Because 14.04 ships with a very old version of puppet (3.4) and most puppet modules

docs/TODO.md

@@ -25,3 +25,4 @@
 - Bolt Task for upgrading StackStorm
 - Tasks for various CLI commands
 - Proper provider implementation for key/value pairs
+- StackStorm facts

manifests/profile/mistral.pp

@@ -90,7 +90,7 @@
       require     => [Postgresql::Server::Role[$db_username],
                       Ini_Setting['database_connection']],
       subscribe   => Postgresql::Server::Database[$db_name],
-      before      => File['/etc/facter/facts.d/mistral_bootstrapped.txt'],
+      before      => Facter::Fact['mistral_bootstrapped'],
       notify      => [Exec['populate mistral database'],
                       Service['mistral']],
     }
@@ -100,19 +100,15 @@
       refreshonly => true,
       path        => ["${mistral_root}/bin"],
       subscribe   => Exec['setup mistral database'],
-      before      => File['/etc/facter/facts.d/mistral_bootstrapped.txt'],
+      before      => Facter::Fact['mistral_bootstrapped'],
       notify      => Service['mistral'],
     }
   }
   ### End Mistral Database ###
 
   # Once everything is done, let the system know so we can avoid some future processing
-  file { '/etc/facter/facts.d/mistral_bootstrapped.txt':
-    ensure  => file,
-    owner   => 'root',
-    group   => 'root',
-    mode    => '0444',
-    content => 'mistral_bootstrapped=true',
+  facter::fact { 'mistral_bootstrapped':
+    value => bool2str(true),
   }
 
   ### Setup Mistral Service ###
@@ -133,7 +129,7 @@
   Package<| tag == 'st2::mistral::packages' |>
   -> Ini_setting <| tag == 'mistral' |>
   -> Postgresql::Server::Database[$db_name]
-  -> File['/etc/facter/facts.d/mistral_bootstrapped.txt']
+  -> Facter::Fact['mistral_bootstrapped']
   -> Service['mistral']
 
   ### End Dependencies ###

manifests/profile/mongodb.pp

@@ -78,17 +78,104 @@
         admin_username => $::st2::params::mongodb_admin_username,
         admin_password => $db_password,
       }
+
+      # Fix mongodb auth for puppet >= 4
+      # In puppet-mongodb module, latest versions used with Puppet >= 4, the
+      # auth parameter is broken and doesn't work properly on the first run.
+      # https://github.com/voxpupuli/puppet-mongodb/issues/437
+      #
+      # The problem is because Puppet enables auth before setting the password
+      # on the admin database.
+      #
+      # The code below fixes this by first disabling auth, then creates the
+      # database, the re-enables auth.
+      #
+      # To prevent this from running every time we've create a puppet fact
+      # called $::mongodb_auth_init that is set when
+      if versioncmp( $::puppetversion, '4.0.0') >= 0 and !$::mongodb_auth_init {
+
+        # unfortinately there is no way to synchronously force a service restart
+        # in Puppet, so we have to revert to exec... sorry
+        include ::mongodb::params
+        if (($::osfamily == 'Debian' and $::operatingsystemmajrelease == '14.04') or
+            ($::osfamily == 'RedHat' and $::operatingsystemmajrelease == '6')) {
+          $_mongodb_stop_cmd = "service ${::mongodb::params::service_name} stop"
+          $_mongodb_start_cmd = "service ${::mongodb::params::service_name} start"
+          $_mongodb_restart_cmd = "service ${::mongodb::params::service_name} restart"
+        }
+        else {
+          $_mongodb_stop_cmd = "systemctl stop ${::mongodb::params::service_name}"
+          $_mongodb_start_cmd = "systemctl start ${::mongodb::params::service_name}"
+          $_mongodb_restart_cmd = "systemctl restart ${::mongodb::params::service_name}"
+        }
+        $_mongodb_exec_path = ['/usr/sbin', '/usr/bin', '/sbin', '/bin']
+
+        # stop mongodb; disable auth
+        exec { 'mongodb - stop service':
+          command => $_mongodb_stop_cmd,
+          unless  => 'grep "^security.authorization: disabled" /etc/mongod.conf',
+          path    => $_mongodb_exec_path,
+        }
+        exec { 'mongodb - disable auth':
+          command     => 'sed -i \'s/security.authorization: enabled/security.authorization: disabled/g\' /etc/mongod.conf',
+          refreshonly => true,
+          path        => $_mongodb_exec_path,
+        }
+        facter::fact { 'mongodb_auth_init':
+          value => bool2str(true),
+        }
+
+        # start mongodb with auth disabled
+        exec { 'mongodb - start service':
+          command     => $_mongodb_start_cmd,
+          refreshonly => true,
+          path        => $_mongodb_exec_path,
+        }
+
+        # create mongodb admin database with auth disabled
+
+        # enable auth
+        exec { 'mongodb - enable auth':
+          command => 'sed -i \'s/security.authorization: disabled/security.authorization: enabled/g\' /etc/mongod.conf',
+          unless  => 'grep "^security.authorization: enabled" /etc/mongod.conf',
+          path    => $_mongodb_exec_path,
+        }
+        exec { 'mongodb - restart service':
+          command     => $_mongodb_restart_cmd,
+          refreshonly => true,
+          path        => $_mongodb_exec_path,
+        }
+
+        # ensure MongoDB config is present and service is running
+        Class['mongodb::server::config']
+        -> Class['mongodb::server::service']
+        # stop mongodb; disable auth
+        -> Exec['mongodb - stop service']
+        ~> Exec['mongodb - disable auth']
+        ~> Facter::Fact['mongodb_auth_init']
+        # start mongodb with auth disabled
+        ~> Exec['mongodb - start service']
+        # create mongodb admin database with auth disabled
+        -> Mongodb::Db['admin']
+        # enable auth
+        ~> Exec['mongodb - enable auth']
+        ~> Exec['mongodb - restart service']
+        # create other databases
+        -> Mongodb::Db <| title != 'admin' |>
+      }
     }
     else {
       class { '::mongodb::server':
         port => $db_port,
       }
     }
 
+    # setup proper ordering
     Class['mongodb::globals']
     -> Class['mongodb::client']
     -> Class['mongodb::server']
 
+    # Handle more special cases of things that didn't work properly...
     case $::osfamily {
       'RedHat': {
         Package <| tag == 'mongodb' |> {

manifests/test/fullinstall.pp

@@ -1,13 +1,4 @@
-# Auth in MongoDB module with new versions of puppet causes an error
-if versioncmp($::puppetversion, '4.0.0') >= 0 {
-  $_mongodb_auth = false
-}
-else {
-  $_mongodb_auth = true
-}
-
 class { '::st2':
-  mongodb_auth         => $_mongodb_auth,
   chatops_adapter_conf => {
     'HUBOT_ADAPTER' => 'slack',
   },